[
https://issues.apache.org/jira/browse/YARN-6930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16118300#comment-16118300
]
Shane Kumpf commented on YARN-6930:
-----------------------------------
Thanks for the comments, [[email protected]]. I will get those
assertions added.

{quote}
I am wondering whether it would be a good idea to specify the user as well not
just enabling a runtime in general. I could imagine that an admin allows Docker
runtime only for specific users first...
{quote}

I think there could be value in an ACL model for container runtimes; however,
there are additional issues regarding user squashing that need to be addressed
before the feature is very useful. Let's address that in a different issue if
that works for you?

I'll also note that there are differences in implementation between the Java
Sandbox and Docker runtimes, so I have not changed the behavior of the existing
runtime selection with this patch. One of the considerations when developing
the Docker runtime was the ability to control the runtime per container as
opposed to per application/cluster; i.e. AMs run as regular process-based
containers, while map and reduce task containers run using the Docker runtime.
The Java sandbox based runtime takes a different approach and is enabled
through configuration. This may be appropriate for the Java sandbox runtime,
but I don't want to change the way the Docker runtime selection works today,
which is why I decided not to introduce the docker-mode config and instead
check the allowed runtimes after selection.

> Admins should be able to explicitly enable specific LinuxContainerRuntime in
> the NodeManager
> --------------------------------------------------------------------------------------------
>
> Key: YARN-6930
> URL: https://issues.apache.org/jira/browse/YARN-6930
> Project: Hadoop YARN
> Issue Type: Improvement
> Components: nodemanager
> Reporter: Vinod Kumar Vavilapalli
> Assignee: Shane Kumpf
> Attachments: YARN-6930.001.patch
>
>
> Today, in the java land, all LinuxContainerRuntimes are always enabled when
> using LinuxContainerExecutor and the user can simply invoke anything that
> he/she wants - default, docker, java-sandbox.
> We should have a way for admins to explicitly enable only specific runtimes
> that he/she decides for the cluster. And by default, we should have
> everything other than the default one disabled.
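
The select-then-check approach described in the comment above, as an added illustration that is not code from YARN-6930.001.patch or the Hadoop project. All class, method and environment-variable names are hypothetical, and the fallback of enabling only the default runtime follows the issue description.

```java
import java.util.Collections;
import java.util.EnumSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Hypothetical names throughout; this is not the NodeManager's real API.
public class RuntimeAllowListDemo {
    enum Runtime { DEFAULT, DOCKER, JAVASANDBOX }

    // Hypothetical per-container environment key used to request a runtime.
    static final String RUNTIME_ENV = "EXAMPLE_CONTAINER_RUNTIME_TYPE";

    // Unknown names throw IllegalArgumentException, so a typo fails closed.
    static Runtime parse(String name) {
        return Runtime.valueOf(name.trim().toUpperCase(Locale.ROOT).replace("-", ""));
    }

    // Admin allow-list; an unset or empty value enables only DEFAULT.
    static Set<Runtime> parseAllowed(String configured) {
        Set<Runtime> allowed = EnumSet.noneOf(Runtime.class);
        if (configured == null || configured.trim().isEmpty()) {
            allowed.add(Runtime.DEFAULT);
            return allowed;
        }
        for (String name : configured.split(",")) {
            if (!name.trim().isEmpty()) allowed.add(parse(name));
        }
        return allowed;
    }

    // Selection stays per container; the allow-list is checked afterwards.
    static Runtime pick(Map<String, String> containerEnv, Set<Runtime> allowed) {
        String requested = containerEnv.get(RUNTIME_ENV);
        Runtime selected = requested == null ? Runtime.DEFAULT : parse(requested);
        if (!allowed.contains(selected)) {
            throw new SecurityException("runtime " + selected + " is not enabled on this node");
        }
        return selected;
    }

    public static void main(String[] args) {
        // Constructed sample containers: an AM with no request, a task asking for docker.
        Map<String, String> am = Collections.emptyMap();
        Map<String, String> task = Collections.singletonMap(RUNTIME_ENV, "docker");
        System.out.println(pick(am, parseAllowed(null)));
        System.out.println(pick(task, parseAllowed("default, docker")));
        try {
            pick(task, parseAllowed(null));
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```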